Microsoft raid targets cyber Mafia intel

Microsoft took matters into its own hands regarding a major cybersecurity issue. The company, with the blessing of federal officials, seized control of servers at two rogue hosting companies.

NEW YORK (CNNMoney) -- If you thought "The Sopranos" was the quintessential modern-day mob drama, you haven't yet heard what Microsoft did on Friday.

Microsoft (MSFT, Fortune 500) employees, escorted by U.S. Marshals, raided two Web hosting companies on Friday. Microsoft seized command and control servers and hundreds of websites used by the cyber Mafia to steal more than $100 million over the past five years.

The servers, located in Scranton, Pa., and Lombard, Ill., were the main tools the organized crime ring used to control a sizable chunk of the 13 million computers infected with a particularly nasty strain of malware. Called "Zeus," the computer bug is primarily used to steal users' bank account information.

Typically, raids against the mob and bank robbers are conducted by the federal government. Though those investigations usually result in arrests, they can take years to complete, and by the time they are acted upon, the bad guys have often already closed up shop and moved on.

Microsoft, by contrast, filed a civil suit against the crime ring on March 19, and the company was issued a warrant to seize the servers on March 23. That four-day turnaround is virtually unprecedented in the fight against cybercrime.

To accomplish that feat, Microsoft employed a clever legal maneuver. The software giant based its petition for the warrant on the Racketeer Influenced and Corrupt Organizations Act, typically used against the Mafia. By using the RICO Act, Microsoft was able to go after anyone associated with the Zeus criminal enterprise.

"With this action, we've disrupted a critical source of money-making for digital fraudsters and cyberthieves, while gaining important information to help identify those responsible and better protect victims," said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit, in a statement. "Today is a particularly important strike against cybercrime that we expect will be felt across the criminal underground for a long time to come."

The Zeus malware is typically installed on PCs of unwitting users who click on phishing links or attachments in spam e-mails. Once a PC is infected, the Zeus malware installs a keylogger on the user's computer. When a user visits a banking or e-commerce site, cybercriminals can steal that person's credit card or banking information.

The Zeus malware also networks with other infected computers to form what's known as a "botnet." Cyber mob members typically use Zeus botnets to send out hundreds of millions of spam messages each month from infected users' e-mail accounts in hopes that more PCs become infected.

Security experts have described Zeus as the most successful bank robber of all time. Microsoft said there were 3 million computers infected with Zeus in the United States and 10 million others around the world.

In years past, Microsoft had unsuccessfully tried to take down entire Zeus botnets. But that proved difficult, considering the Hydra-like makeup of the botnet. Cutting off one of its many heads doesn't kill it.

This time, Microsoft isn't going for the kill. Rather, the company is hoping to analyze data stored on and sent by the servers to identify the organized cybercriminals and disinfect computers hit by the Zeus bug. It then will try to go after more and more servers, making operating conditions for Zeus botmasters increasingly difficult.

"This is a battle won, but the war is far from over," said Karim Hijazi, CEO of Unveillance, a company that monitors and attempts to commandeer botnets. "Even if it doesn't cure the problem, the awareness that Microsoft has built up from this action will result in a much more expensive domain for the bad guys to work in."

Hijazi said there was a small but noticeable dip in Zeus botnet traffic after Microsoft completed the raids.

The raids were conducted at Web hosting companies BurstNet, located in Scranton, and Continuum Data Centers in Lombard, which is just outside of Chicago.

Neither company knew of the raid in advance. Joe Marr, BurstNet's chief technology officer, said that without knowing specifically what to look for, there was no indication that one of his company's servers was acting as a Zeus command and control device. A spokesman from Continuum did not respond to requests for comment.

Microsoft partnered with the Financial Services Information Sharing and Analysis Center and the National Automated Clearing House Association in its raids on Friday.